SQLite Forensic Fundamentals

2 Days – 16Hrs

Cost: $1,195

Participants will receive

2-Days of Instruction
Course Manual
Practical Files
Attendance Certificate

SQLite Forensics Fundamentals 2024

Damien Attoe

Lead Developer

Before joining Spyder Forensics, Damien was a Managing Consultant at AccessData, where he managed eDiscovery and digital forensics projects and provided services to companies in various industries, including the Health Care, Energy, and Financial industries. Prior to that, Damien was a Computer Crime Specialist at the National White Collar Crime Center, where he conducted digital forensic research and performed software validation studies on digital forensic software.

Course Objectives

Students will gain knowledge of how relational databases function in the storage of records and fields of information to support a front-end application. SQLite data structures will be covered in detail, whereby the attendee will learn how SQLite databases store data and the potential for recovering data from Freelist pages and page unallocated space within the main database file and journal files.

Students will examine SQLite databases commonly found on Mac, Windows, Android, and iOS devices.

We will use a variety of open-source tools to examine key artifacts through multiple hands-on labs and student exercises.

Primary Learning Objectives

    SQLite Forensic Fundamentals - Day 1

    Day 1 of the Spyder Forensics SQLite Forensic Fundamentals course begins with an overview of the course along with an introduction to the Instructor.

    Following on from this, we will look at SQLite database files and discuss the different SQLite page types, such as B-tree pages, Overflow pages and Freelist pages.

    During this module we will introduce the SQLite Database files and discuss the main database file header.

    At the conclusion of this module, you will be familiar with the different files associated with an SQLite database, the different SQLite page types, and the structure of the main database file header.

    • Introduction to SQLite data files
    • Main Database File
      • Discuss different SQLite page types
      • Explore the main database file header

    Instructor Led Lab

    In this hands-on, instructor-led lab, participants will dive into the foundational aspects of SQLite data files. This lab is designed to introduce forensic investigators and analysts to SQLite databases, which are frequently encountered in mobile devices, applications, and various platforms.

    Instructor Led Lab

    This lab, Introduction to SQLite B-tree Pages, provides a focused exploration of SQLite’s B-tree page structures. Participants will analyze the page header, interpret the Cell Pointer Array, and understand its role in organizing data. The lab also covers unallocated space, mapping the Cell Content Area, and examining freeblocks. By the end, participants will gain practical knowledge of B-tree page mechanics, critical for advanced SQLite forensic analysis.

      During this module we will take a deep dive into the structure of SQLite B-tree pages.

      At the conclusion of this module, you will understand the general structure of an SQLite B-tree page and the possibilities when it comes to recovering deleted records.

      • Introduction to SQLite B-tree pages
      • Explore the different SQLite B-tree page structures
        • Define Page Header
        • Learn how to interpret the Cell Pointer Array
        • Examine Page Unallocated Space
        • Map Cell Content Area
        • Explore Freeblocks

      This module will focus on SQLite Overflow pages and Freelist Pages.

      At the conclusion of this module, students will understand how Overflow Pages and Freelist Pages are used in SQLite databases and the possibilities for recovering deleted records.

      • Learn how overflow pages are used
        • Explore page structure
      • Learn how to identify freelist pages in a database
      • Explore the freelist trunk page structure
      • Discuss the importance of Freelist Pages in an Investigation

      Instructor Led Lab

      This lab covers the use of overflow pages in SQLite databases, focusing on their structure and role in handling large data entries. Participants will learn to identify freelist pages and examine the freelist trunk page structure, which stores unallocated space. The lab highlights the forensic importance of freelist pages, as they often contain crucial remnants of deleted data.

      SQLite Forensic Fundamentals - Day 2

      Day 2 of the course will see us learning about how SQLite Rollback Journals work, how they are used in SQLite databases, and their relevance in an investigation. We will follow this with a look at SQLite Write-Ahead Logs and their forensic relevance.

      Concluding the day's instruction is a discussion of SQLite Secure_Delete and, as with previous elements of the course, its implications in a forensic examination.

      During this module we will be learning about how the SQLite Rollback Journals work.

      At the conclusion of this module, students will understand how Rollback Journals are used in SQLite databases and their forensic relevance during an investigation.

      • Learn how SQLite Rollback Journals Work
      • Examine the File Structure
      • Understand the Forensic Relevance of Rollback Journals

      Instructor Led Lab

      This lab explores SQLite rollback journals, focusing on their file structure and role in maintaining database integrity during transactions. Participants will learn the forensic relevance of rollback journals, as they often store uncommitted data, providing critical insights into deleted or unsaved changes in an investigation.

      Instructor Led Lab

      This lab covers the function of Write-Ahead Logs (WAL) in SQLite databases, examining their file structure and role in logging transactions. Participants will learn the forensic importance of WAL files, which can contain uncommitted transactions and reveal recent changes or deleted data.

        During this module we will be learning about how SQLite Write-Ahead Logs work.

        At the conclusion of this module, students will understand how Write-Ahead Logs are used in SQLite databases and their forensic relevance during an investigation.

        • Learn how Write-Ahead Logs (WAL) Work
        • Examine the File Structure
        • Understand the Forensic Relevance of WAL Files

        During this module, we will discuss SQLite Secure_Delete and its implications in a forensic examination.

        At the conclusion of this module, students will understand how SQLite secure_delete works and how to use the journal files to potentially recover records deleted with secure_delete.

        • Understand the concept of secure_delete
        • Discuss the Forensic implications
        • Use the journal files to recover secure-deleted records

        Instructor Led Lab

        This lab covers SQLite secure_delete, which overwrites deleted data to prevent recovery. Participants will explore the forensic implications of this feature and learn techniques for using journal files to potentially recover secure-deleted records, offering insights into erased data cases.
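As an added example (not course material or Spyder Forensics code), the following Python script uses only the standard library's sqlite3 and struct modules to build a constructed sample database (table name, rows and file name are all made up), delete the middle row, and then parse the raw file the way the Day 1 modules describe: the main database file header, the root B-tree page header, the cell pointer array, the unallocated span and the freeblock chain. Run once with secure_delete off and once with it on, it also illustrates the Day 2 module: the freeblock is left behind in both cases, but the deleted record's bytes survive in it only when secure_delete is off.

```python
import os, sqlite3, struct, tempfile

def build_db(path, secure_delete):
    """Constructed sample: one table, three rows, then the middle row deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size=4096")
    con.execute("PRAGMA journal_mode=DELETE")
    con.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO msgs(body) VALUES (?)",
                    [("message-alpha",), ("message-bravo",), ("message-charlie",)])
    con.commit()
    root = con.execute("SELECT rootpage FROM sqlite_master WHERE name='msgs'").fetchone()[0]
    con.execute("DELETE FROM msgs WHERE id=2")  # middle cell: its space becomes a freeblock
    con.commit()
    con.close()
    return root

def parse_file_header(data):
    """The 100-byte header at the start of page 1; integers are big-endian."""
    page_size = struct.unpack(">H", data[16:18])[0]
    return {"magic": data[:16], "page_size": 65536 if page_size == 1 else page_size,
            "freelist_trunk": struct.unpack(">I", data[32:36])[0],  # 0 = no freelist
            "freelist_pages": struct.unpack(">I", data[36:40])[0]}

def parse_btree_page(data, page_no, page_size):
    """Page header, cell pointer array, unallocated span and the freeblock chain."""
    page = data[(page_no - 1) * page_size:page_no * page_size]
    hdr = 100 if page_no == 1 else 0            # page 1's b-tree header follows the file header
    flag = page[hdr]                            # 13 = table leaf, 5 = table interior, ...
    first_fb, ncells, content_start, frag = struct.unpack(">HHHB", page[hdr + 1:hdr + 8])
    ptrs = hdr + (12 if flag in (2, 5) else 8)  # interior pages add a 4-byte right-child pointer
    cells = struct.unpack(">%dH" % ncells, page[ptrs:ptrs + 2 * ncells])
    freeblocks, fb = [], first_fb               # each entry: (offset, size, leftover bytes)
    while fb:                                   # 2-byte next pointer, 2-byte size incl. header
        nxt, size = struct.unpack(">HH", page[fb:fb + 4])
        freeblocks.append((fb, size, page[fb + 4:fb + size]))
        fb = nxt
    return {"flag": flag, "cells": cells, "fragmented_bytes": frag,
            "unallocated": (ptrs + 2 * ncells, content_start or 65536), "freeblocks": freeblocks}

def inspect_after_delete(secure_delete):
    """Build the sample db and return (file header fields, root page breakdown)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        root = build_db(path, secure_delete)
        with open(path, "rb") as f:
            data = f.read()
        header = parse_file_header(data)
        return header, parse_btree_page(data, root, header["page_size"])
```

Calling `inspect_after_delete(False)` and `inspect_after_delete(True)` returns one 18-byte freeblock on the table's root page each time; the first still holds the "message-bravo" text after the 4-byte freeblock header, the second holds only zeros.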